Does /ip ipsec installed-sa
print show the H
attribute in the leftmost-but-one column at both peers? If not, there is no support for H
ardware acceleration for the negotiated combination of auth-algorithms and enc-algorithms on the peer which misses the H
. Check this table
, including all the *, **, and ***, to see for what combinations of algorithms the hardware acceleration is available.
If one of the devices is not a Mikrotik one, and you have hardware acceleration at Mikrotik side, the bottleneck is the other device.
One other point is that many small packets give worse throughput than fewer larger packets. So you'll always get better off with file transfers over TCP than with e.g. voice traffic which uses ~250 byte UDP packets.
Triple figthfulness (which is what děs means in Czech) is definitely not a secure choice these days.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.